Sample SAML property-value pairs for Azure Active Directory

A sample set of property-value pairs to put in a text file and apply to the SetupSAML.ps1 PowerShell script.

TokenIssuerCertThumbprint=new
TokenIssuerCertFriendlyName=Token Issuer Certificate
TokenIssuerCertPassword=password1
CoreServiceCertThumbprint=new
CoreServiceCertFriendlyName=Core Service Certificate
CoreServiceCertPassword=password2
CoreServiceType=Windows Service
TCM_Name=azure
SamlAdminUser=azure:test@example.com
issuer=https://sts.windows.net/a17506cd-02aa-4456-bedf-73f795839435/
SP_Audience=spn:89b4021a-37af-4307-b8e5-2a6c3a655dfc
SP_AssertionConsumerServiceUrl=~/WebUI/
Name=https://sts.windows.net/a17506cd-02aa-4456-bedf-73f795839435/
Description=Azure AD
SignLogoutRequest=true
WantSAMLResponseSigned=false
WantAssertionSigned=true
WantLogoutResponseSigned=true
UseEmbeddedCertificate=true
SignatureMethod=http://www.w3.org/2000/09/xmldsig#rsa-sha1
SingleSignOnServiceUrl=https://login.microsoftonline.com/a17506cd-02aa-4456-bedf-73f795839435/saml2/
SingleLogoutServiceUrl=https://login.microsoftonline.com/a17506cd-02aa-4456-bedf-73f795839435/saml2/

The following properties are optional:
uniqueNameClaimType=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

The line above instructs SDL Tridion Sites to set the UniqueName Claim to the value of the attribute called http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, rather than to the default, which is the value of NameID.

displayNameClaimType=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

The line above instructs SDL Tridion Sites to set the DisplayName Claim to the value of the attribute called http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname, rather than to the default, which is the value of the UniqueName Claim.

groupClaimType=http://schemas.microsoft.com/ws/2008/06/identity/claims/groups

The line above is mandatory if you use the group mapping functionality. It instructs SDL Tridion Sites to set the GroupId Claim to the value of the attribute called http://schemas.microsoft.com/ws/2008/06/identity/claims/groups. There is no default, so if you use group mapping and do not set this property, group mapping will not work and the user will be denied access.
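As an added pre-flight check that is not part of SDL Tridion Sites or of SetupSAML.ps1, the following PowerShell script reads a property file in the format shown above and flags what a practitioner would want caught before running SetupSAML.ps1: properties from the sample that are missing, a missing groupClaimType when group mapping is in use, a SHA-1 SignatureMethod, neither the response nor the assertion being required to be signed, and a tenant ID that differs between the issuer and the Azure AD endpoints. The key=value parsing rules, the '#' comment convention and the list of expected keys are assumptions drawn from the sample, not from the script itself.

```powershell
# Added pre-flight checker for a SetupSAML.ps1 property file; not part of SDL Tridion Sites.
# Assumptions: one key=value per line, blank lines ignored, lines starting with '#' are comments.
param(
    [Parameter(Mandatory)] [string] $Path,
    [switch] $UsesGroupMapping
)
function Read-SamlProperties {
    param([string] $Path)
    $props = @{}
    foreach ($line in Get-Content -LiteralPath $Path) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith('#')) { continue }
        $i = $t.IndexOf('=')
        if ($i -lt 1) { Write-Warning "Ignoring malformed line: $t"; continue }
        # Split on the first '=' only so values containing '=' (URLs, query strings) survive intact
        $props[$t.Substring(0, $i).Trim()] = $t.Substring($i + 1).Trim()
    }
    return $props
}

function Test-SamlProperties {
    param([hashtable] $p, [bool] $GroupMapping)
    $problems = @()
    # Keys taken from the sample above; treated as expected here, not as the script's own schema
    $expected = @('TokenIssuerCertThumbprint', 'CoreServiceCertThumbprint', 'CoreServiceType', 'TCM_Name',
                  'SamlAdminUser', 'issuer', 'SP_Audience', 'SP_AssertionConsumerServiceUrl', 'Name',
                  'SignatureMethod', 'SingleSignOnServiceUrl', 'SingleLogoutServiceUrl')
    foreach ($k in $expected) { if (-not $p.ContainsKey($k)) { $problems += "Missing property: $k" } }
    if ($GroupMapping -and -not $p.ContainsKey('groupClaimType')) {
        $problems += 'groupClaimType is not set: group mapping will fail and users will be denied access'
    }
    if ($p['SignatureMethod'] -match 'sha1') {
        $problems += 'SignatureMethod uses SHA-1; use http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 if the IdP supports it'
    }
    if ($p['WantSAMLResponseSigned'] -eq 'false' -and $p['WantAssertionSigned'] -eq 'false') {
        $problems += 'Neither the SAML response nor the assertion is required to be signed'
    }
    # Azure AD: the tenant ID in the issuer URL should also appear in the login.microsoftonline.com endpoints
    if ($p['issuer'] -match '/([0-9a-f-]{36})/?$') {
        $tenant = $Matches[1]
        foreach ($k in 'SingleSignOnServiceUrl', 'SingleLogoutServiceUrl') {
            if ($p[$k] -and $p[$k] -notmatch [regex]::Escape($tenant)) { $problems += "$k does not reference tenant $tenant" }
        }
    }
    return ,$problems
}
$issues = Test-SamlProperties -p (Read-SamlProperties -Path $Path) -GroupMapping $UsesGroupMapping.IsPresent
if ($issues.Count -gt 0) { $issues | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "No problems found in $Path"
```

Run it as `.\Test-SamlProperties.ps1 -Path .\saml.properties -UsesGroupMapping` before invoking SetupSAML.ps1; a non-zero exit code means at least one finding was reported.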